How Does It Work

On first start, all IAM users are imported and matching local users are created.

The import also runs every 10 minutes.

On every SSH login, the EC2 instance tries to fetch the user's public key(s) from IAM via sshd's AuthorizedKeysCommand.

If the user is not found in IAM, login fails.

If no public key is available for the user, login fails.

If the private key presented does not match the public key, login fails.

You can restrict the EC2 instance so that it is only allowed to download the public keys of certain IAM users instead of all users (a resource of *). This way you can restrict SSH access to those users.

As soon as the public SSH key is deleted from the IAM user, login is no longer possible.
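As an added example (not the project's own script), here is a minimal AuthorizedKeysCommand that implements the lookup and the failure cases described above. The aws CLI invocations, the script path and the instance role permissions (iam:ListSSHPublicKeys and iam:GetSSHPublicKey on the allowed users) are assumptions.

```shell
#!/bin/bash
# Added example: resolve a local username to the IAM user's public SSH keys.
# Assumed sshd_config lines (the script path is a placeholder):
#   AuthorizedKeysCommand /opt/authorized_keys_command.sh %u
#   AuthorizedKeysCommandUser nobody
set -eu

# IAM calls are wrapped in functions so they can be swapped out offline.
iam_list_key_ids() {
  # Prints the ids of the user's Active keys, tab-separated; empty if none.
  aws iam list-ssh-public-keys --user-name "$1" \
    --query 'SSHPublicKeys[?Status==`Active`].SSHPublicKeyId' --output text
}
iam_get_key() {
  # Prints one key in authorized_keys format.
  aws iam get-ssh-public-key --user-name "$1" --ssh-public-key-id "$2" \
    --encoding SSH --query 'SSHPublicKey.SSHPublicKeyBody' --output text
}

# Print every authorized key for the user, one per line.
# A non-zero exit (and no output) makes sshd reject the login when the
# user is unknown to IAM, has no active key, or the lookup fails.
authorized_keys_for() {
  user="$1"
  # Reject anything that is not a valid IAM user name before calling the CLI.
  case "$user" in
    *[!A-Za-z0-9+=,.@_-]*|'') return 1 ;;
  esac
  ids=$(iam_list_key_ids "$user") || return 1   # NoSuchEntity: user not found
  [ -n "$ids" ] || return 1                      # no public key available
  for id in $ids; do
    key=$(iam_get_key "$user" "$id") || return 1
    case "$key" in
      ssh-*|ecdsa-*) printf '%s\n' "$key" ;;     # only emit well-formed key lines
    esac
  done
}

if [ $# -eq 1 ]; then authorized_keys_for "$1"; fi
```

Because the instance role decides which IAM users these calls may read, scoping that role's Resource to specific user ARNs is what narrows SSH access per instance.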

Managing SSH access on AWS can be achieved by combining IAM with sshd's AuthorizedKeysCommand. By restricting the iam:GetSSHPublicKey action to certain IAM users, you can control which users can access which EC2 instances. You can find the source code on GitHub. IAM public SSH keys are intended to be used with CodeCommit. My solution can be labeled a "hack."